On March 3, 2023, Google Chromium put forth a proposal advocating for shortening the validation period for TLS certificates from 398 days to 90 days.The 398-day validation period was enforced by leading web browsers (namely, Mozilla Firefox, Google Chrome, and Apple Safari). Apple has, in no uncertain terms, stated that "a validity period greater than 398 days will not be trusted by Apple’s Safari browser and iOS/iPadOS/watchOS/tvOS devices." Such a disruptive move can lead to major changes in the way enterprises manage their SSL/TLS certificates.
The primary reason behind the push for 90-day validity is to enhance web security by minimizing the risks associated with compromised keys. By reducing the validity period to 90 days, any security flaws or breaches can be quickly mitigated, thus limiting potential damage. This approach also promotes the use of automated certificate management, which ensures that certificates are regularly renewed and kept up to date, further strengthening the overall security posture of web communications.
While the exact implementation date isn't clear yet, the mandate for 90-day SSL/TLS certificates is expected to go into effect sometime in the second half of 2024. However, organizations are encouraged to start preparing now by exploring automation solutions to ensure a smooth transition when the mandate is officially implemented.
The 90-day certificate policy is expected to provide preemptive security and help organizations stay ahead of emerging threats. In other words, it will ensure that the latest encryption standards and most secure protocols are duly incorporated, and it will also limit any risks arising from compromised certificates because the shorter lifespan will diminish the possibility of exploitation.
According to Chromium, "more timely domain validation will better protect domain owners while also reducing the potential for a CA to mistakenly rely on stale, outdated, or otherwise invalid information resulting in certificate mis-issuance and potential abuse." This just goes to show that the management of SSL/TLS certificates alone won't suffice; organizations will also have to periodically review their domains every 90 days.
Furthermore, compliance with the 90-day certificate mandate means that organizations must adopt more rigorous certificate management practices. This involves not only increasing the frequency of certificate renewals but also ensuring that the processes for issuance, deployment, and renewal are efficient and secure. However, this mandate could also introduce operational overheads for organizations where certificates are managed manually.
No, it may just be the beginning. The prevailing need to stay ahead of cybersecurity threats means that the discussion around certificate lifespans will likely persist. Because this shift towards short-lived certificates could help bolster security, the industry might eventually see a rise in demand for short-lived or ephemeral certificates.
This is due to many reasons and the business benefits that shorter certificate lifespans offer, including:
When certificate lifespans are shorter, they leave little space for attackers to exploit vulnerable or compromised certificates. This circumvents potential damage or data theft because certificates do not stay compromised for long due to swifter renewals.
Furthermore, short-lived certificates ensure that the metadata associated with certificates is periodically reviewed and validated, increasing the reliability and trustworthiness of certificates.
SSL/TLS certificates aren't limited to just web browsers. They are essential for securing communications and data transfers across mission-critical entities, such as email servers, directory services, engineering workloads, load balancers, IoT and OT devices, VPNs, and remote connections. While the 90-day certificate proposal primarily targets browser certificates, this move could indirectly benefit the management of certificates used by other critical entities as well.
As short-lived certificates become the norm, certificate authorities (CAs) will eventually extend 90-day certificates to non-browser entities, which could have a positive ripple effect on overall certificate management. Thus, organizations could benefit from a more secure, streamlined approach to managing certificates across all their critical endpoints.
Managing certificate renewals manually is generally fraught with risks. Manual processes are labor-intensive and prone to human error, increasing the likelihood of missed renewals and expired certificates. Additionally, in the event of unexpected outages, it is crucial to revoke certificates immediately to restore operations. When the 90-day certificate mandate is enforced, IT staff will have to renew and revoke hundreds of thousands of certificates four times a year.
For many organizations, this presents the ideal chance to shift gears to automation when it comes to managing the life cycles of TLS certificates from end to end. This includes automating the periodic discovery, renewal, and timely revocation of certificates, thereby reducing the attack surface and minimizing the risk of human error.
To mitigate potential security risks and maintain a strong security posture, enterprises require an automated, end-to-end solution for SSL/TLS certificate life cycle management (CLM). Such a solution encompasses not only certificate issuance and renewal but also the crucial task of frequent domain reverification. By embracing automation, organizations can ensure the continued validity and security of their digital certificates, fostering trust and preventing potential exploitation.
Organizations can automate certificate discovery, issuance, and renewal by implementing a solution that incorporates one of the most widely adopted protocols: Automatic Certificate Management Environment (ACME). ACME automates the entire process of certificate management, from requesting and issuing certificates to renewing and revoking them. By integrating ACME with their systems, organizations can ensure that their certificates are always current without the need for manual intervention.
Automated CLM solutions typically incorporate ACME and streamline the entire certificate life cycle, from issuance and deployment to renewal and revocation. These solutions reduce the risk of human error, ensure timely renewals, and provide better visibility and control over your certificate inventory.
An automated CLM solution offers several business benefits, such as:
Efficiency: Reduces the time and effort required for certificate management, freeing up IT resources for other critical tasks
Accuracy: Minimizes the risk of human error, ensuring that certificates are renewed on time and reducing the likelihood of expired certificates
Scalability: Handles large volumes of certificates, making it easier for organizations to manage their digital assets as they grow
Security: Enhances security by ensuring that certificates are always up to date and by providing real-time visibility over the certificate landscape
The shift to a shorter certificate lifespan necessitates a proactive approach to certificate management. Organizations must adapt their processes to handle more frequent renewals and ensure that their systems are always secure. This involves not only implementing automation but also regularly reviewing and updating security policies and practices.
Here are some best practices to help you begin the journey:
TLS CLM tools like ManageEngine Key Manager Plus will play a crucial role in helping organizations comply with the 90-day certificate mandate. Key Manager Plus offers a comprehensive suite of features for managing the entire certificate life cycle, including:
Automated discovery: Periodically scan your network to discover all SSL/TLS certificates nestled within servers, load balancers, workloads, directories, certificate stores, and CAs.
Centralized management: Manage all certificates from a single console that provides a unified view of the certificate landscape.
Vulnerability scanning: Scan for, identify, and provide timely alerts on critical vulnerabilities such as POODLE SSL and Heartbleed.
Automated renewal: Renew certificates on the go before they expire, ensuring continuous compliance and high service availability.
Timely deployment: Deploy certificates on target endpoints with zero manual intervention.
Extensive integrations with CAs: Automate certificate procurement and issuance from leading third-party CAs.
Reporting and alerting: Generate detailed reports and receive real-time alerts about expiring or compromised certificates.
The transition to 90-day certificates represents a significant operational shift, and a failure to comply could result in dire consequences. The costs of noncompliance extend beyond financial penalties. Expired certificates can lead to website outages, which can damage an organization's reputation and result in lost revenue.
Additionally, compromised certificates allow attackers to intercept and manipulate sensitive data, leading to data breaches and other security incidents. The reputational damage from such incidents can be long-lasting, harming customer trust and loyalty. Moreover, organizations that fail to manage their certificates effectively may face noncompliance fines and legal repercussions.
With the 90-day certificate policy around the corner, now is a good time for organizations to take stock of their current certificate management routines and incorporate CLM automation as part of their security hygiene. If you do not have an automated solution in place already, you can get started on your CLM journey with Key Manager Plus. Download a free, 30-day trial to gain hands-on experience with Key Manager Plus, or talk to our experts to understand how we can streamline your CLM journey.